Solved: Re: How to count until a specific number and go t...

rvalli · ‎11-29-2019

Here is my current query:

index=abc* |stats count by user,date |eval highcount=(if count >=1000,1000,count)

This gives me output like this:

user1 200 200
user2 34 34
user3 1200 1000 --> I want to stop counting for this user once high count reaches 1000 and continue counting other users as it finds.

Thanks

woodcock · ‎12-01-2019

Like this:

index=abc* 
| stats count BY user date 
| eval count = min(1000, count)

View solution in original post

woodcock · ‎12-01-2019

Like this:

index=abc* 
| stats count BY user date 
| eval count = min(1000, count)

rvalli · ‎11-30-2019

Yes please ,Yes please.

to4kawa · ‎11-30-2019

First of all, what is the purpose and duration of the search?(Do you want to count the number of users?)

Please provide a sample log.

How many items are you searching for?

rvalli · ‎11-29-2019

I think I figured:
index=abc* |stats count by user,date |eval count=(if count >=1000,1000,count)

Is there a better way to do this?

to4kawa · ‎11-29-2019

Do you want to reduce search time?

Splunk basically searches for search criteria within the search period.

How to count until a specific number and go to next value in field

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Feel the Splunk Love: Real Stories from Real Customers

Data Management Digest – November 2025

Are you a member of the Splunk Community?

How to count until a specific number and go to next value in field

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Feel the Splunk Love: Real Stories from Real Customers

Data Management Digest – November 2025